For companies that have both US-based clients and international clients, compliance may seem like a cumbersome task. Whereas SOC audits meet the needs of US-based clients, international clients are increasingly asking for ISO 27001 reports. The ISO 27001 standard was developed to provide a consistent model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The ISMS is not a one-size-fits-all system. Rather, the design, implementation, monitoring, and maintenance of an organization’s ISMS should be based on its unique needs and requirements.
The ISO 27001 standard adopts the “Plan-Do-Check-Act” (PDCA) model, which is applied to structure all ISMS processes.
- Plan (establish the ISMS): Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
- Do (implement and operate the ISMS): Implement and operate the ISMS policy, controls, processes and procedures.
- Check (monitor and review the ISMS): Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
- Act (maintain and improve the ISMS): Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
The CyberGuard Compliance Audit Process
Our team will work closely and collaboratively with your team to determine which sections of the ISO 27001 standard apply to your operations. CyberGuard Compliance can assist your company with the following ISO 27001 audit activities:
- Pre-Assessment: Our pre-assessment process is tailored for the needs of companies undergoing the ISO 27001 audit for the first time. As part of the pre-assessment, we will review your ISMS and its operation as a rehearsal for the future audit. As part of this work, we will review key documents and interview key employees. The pre-assessment will assess the degree of conformance of your system to the ISO 27001 standard and provide a recommendation of a go or no-go decision to undergo the certification audit. You will receive a report of any findings and remediation requirements to bring your ISMS into conformance with the ISO 27001 standard. The pre-assessment report will reveal non-conformities, so you have time to address them prior to starting the formal certification audit.
- Stage 1 Audit: During this stage, we will review your company’s documentation to confirm that it is in compliance with the requirements of ISO 27001.
- Stage 2 Audit: During this stage, we will perform a formal certification assessment of the ISO 27001 standard against your ISMS, ultimately leading to certification. We will assess your documentation and controls to ensure your ISMS is fully operational.
- Surveillance Audit: Certifications are valid for 3 years. To ensure ongoing conformity of your ISMS with ISO 27001, we will perform surveillance audits for two years following the certification.